In the first of a new series of articles, Alex Bailey asks: Are you ready for the GDPR?

You may well be asking yourself, “What is GDPR?”, in which case the answer to the above question is a resounding “No” !

However over the next 12 months you are going to hear those 4 letters repeated over and over again because on 25th May 2018, the EU’s General Data Protection Regulation becomes UK law, regardless of the Brexit situation.

The Information Commissioners Office says this is going to be the biggest change to data protection law for a generation when it replaces the now antiquated Data Protection Act 1998. But if you were unfamiliar with GDPR until now, you are certainly not alone. According to the Business Continuity Institute, 84% of UK small business owners and 43% of senior executives of large companies are unaware of the forthcoming GDPR.

From May next year, the scope for the definition of ‘personal data’ becomes a lot wider to cover any information that can be used to identify an individual ‘natural person’ (ie a human being, as opposed to a business corporation, public body or NGO etc.), whether directly or indirectly. That might include less obvious details such as a photo or CCTV recording, an IP address or a mobile phone number. All individuals must give specific and unambiguous consent for their data to be retained. They must be told in plain language what information is being held, for what reason and for how long. The onus will very much be on the data processing organisation to prove they were given explicit consent. Data collected must be necessary, minimal for purpose, fairly and lawfully obtained. There will be new rights for individuals to request disclosure of their data and insist on deletion or transfer to a new service provider. So consideration must be given to how data can be available in a portable format.

Unlike the outgoing Data Protection Act 1998, which is based on opt-in registration, all organisations will be required to show compliance with GDPR and there will be tough penalties for those that do not. The maximum fine for breaking the law will rise from £500k to 20m Euros or 4% of annual turnover, which ever is the greater. Security and privacy must be built into all systems by design. There will be a mandatory requirement that any security breaches are notified to the ICO within 72 hours of discovery. Organizations of more than 250 staff or those carrying out certain bulk data operations will have to appoint a dedicated Data Protection Officer at a senior management level. All other organisations should make sure this role is part of board-level management responsibility.

he GDPR says that data controllers and processors need to:

  • implement pseudonymisation and encryption of personal data;
  • ensure the confidentiality, integrity availability and resilience of systems;
  • have the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
  • operate procedures for regularly testing the technical and organisational measures for ensuring the security of the data processing.

This implies that well-designed and tested backup and disaster-recovery processes need to be in place. All businesses and their technical management partners must know where all the data is at all times. When data backups are made and stored, these processes and locations must be documented and secured. When staff access, use and copy data, they must be aware of their responsibilities. When data is saved on local PC hard drives or removable media, that also needs to be managed and traceable.
~ Alex Bailey

So, are you really ready for GDPR? With less than 12 months to go, Trichromic is making sure that all our clients are fully aware and ready for these fundamental changes in the law that will affect everyone and we are helping them to audit, plan and implement new procedures with the right technical solutions.

In the next article, we discuss how you can get started on the journey to GDPR –  Part 2: Getting Started
Further reading (on ICO web site)

To read the full text of the official GDPR document: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (General Data Protection Regulation)